Recently added to HHS’s public breach tool was a misconfigured server incident that affected 3,334 patients. The entity’s statement was posted on their web site:
We at BioReference Laboratories, Inc., and our subsidiary CareEvolve, Inc., take very seriously our responsibility to protect the privacy and security of our patients’ personal information, as required by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and other applicable laws. It is therefore important to us that our patients are made aware of any potential privacy issues with their personal information. This notice is being posted as a precautionary measure to inform our patients of a data security incident that may have involved some patient personal information, and to let them know what we are doing, and have already done, to protect the privacy of this information.
We believe this security incident occurred because a test server used at CareEvolve was inadvertently configured so that it was accessible to the Internet for a brief period earlier this year. This server included records containing patient names, home addresses, telephone numbers, ages, patient/medical record numbers, dates of collection, clinical test data, dates of birth and, in 196 instances, Social Security Numbers. Although we believe that this server was accessed by the automated computer data mining application that Internet search engines use to accelerate their search capabilities, we have found no evidence that our patients’ personal information was improperly used or accessed by any individual seeking another’s personal data. We believe the server was first accessed by one of these automated search engine data mining applications on February 2, 2014 and that the breach incident ended on March 19, 2014. No credit card, bank information or other financial information was released to the Internet.
Upon learning of the incident on March 19, 2014, we immediately had the server taken offline and all indexed files that we could locate on the Internet were immediately removed. We also undertook an extensive internal investigation, hired an independent security firm to conduct a forensic investigation, reviewed our data security and internal safeguards, retained a company to regularly monitor our servers, and implemented enhanced security measures to minimize the risk of any similar incidents in the future. Although we feel confident that we have taken appropriate steps to contain the risk of unauthorized use, we recommend that the affected individuals remain vigilant to prevent misuse of their personal information by, for example, monitoring credit card and bank statements and reporting any fraudulent activity to financial institutions.
We deeply regret that this has happened and understand that our patients and their families may be concerned about their personal information. BioReference is committed to taking all possible steps to safeguard patient personal information, and is offering one year of credit monitoring, identity theft protection and other services to anyone whose information may have been involved, free of charge. We have been able to reach the vast majority of those affected with direct mail notification letters, but if you would like to receive this service, or have any questions about whether your data was involved in this incident, please contact the Privacy Office at:
Email address: [email protected]
Phone number: 800-229-5227 ext 8433

Sincerely,
BioReference Laboratories, Inc.
BioReference listed Xand Corporation as the business associate in their submission to HHS. Xand is a facilities-based provider of data center infrastructure and managed services and CareEvolve lists them as a technology partner.